Oracle Financial System - PowerPoint PPT Presentation

Slides: 17
Provided by: zmo2

Transcript and Presenter's Notes

Title: Oracle Financial System


1
Oracle Financial System
Step 3
  • Project Team
  • Xuegong Wang
  • Jun Lu
  • ZhengChun Mo
  • Patrick Zhu
  • Thomas Verghese
  • Weicheng Wong

Date: 14th November, 2001
2
AGENDA
  • Review User Scenarios
  • Attacker Profiles
  • Intrusion Scenarios
  • Compromisable Components

3
Current Architecture
4
Essential Components
  • Oracle Database
  • Web Server
  • Form Server
  • Firewall
  • Kerberos Authentication System

5
Who are the attackers
  • CMU Student Hackers
  • Activists
  • Former employee / Disgruntled employee

6
Intrusion 1: Attacker Profile
  • CMU Student Hackers
  • Attacker: Recreational hacker
  • Resources: Limited
  • Time: Does not have much free time as a CMU student; looks for opportunity.
  • Tools: Readily available tool kit.
  • Access: External to system but inside the CMU domain
  • Risk: May not understand risk, but highly risk averse.
  • Objective: To develop hacking skills.

7
Intrusion 1: Level of Attack
  • Target-of-Opportunity Attack
  • The attacker has limited knowledge of the internal system
  • The attacker uses readily available tools to scan and probe systems to take advantage of known vulnerabilities
  • There is a high frequency of these attacks

8
Intrusion Scenario 1: Denial of Service
[Diagram: Student Hacker, CMU domain, Proxy, Firewall, Web Server, Form Server, DB, Email Server, acis.as.cmu.edu, Mistral.cmu.edu; connection labels: RC40, SSL, Oracle Net 8]
9
Intrusion 2: Attacker Profile
  • Activist
  • Attacker: Political/ethical activist
  • Resources: Limited, but could have expert/internal help.
  • Time: Patient, may target specific events.
  • Tools: Readily available tool kit
  • Access: External to system but somehow illegally gets into the CMU domain.
  • Risk: Understands risk and doesn't care.
  • Objective: To impact CMU policy / to make a specific target unhappy.

10
Intrusion 2: Level of Attack
  • Intermediate Attack
  • The attacker may have some knowledge of the internal system.
  • The attacker uses readily available tools to scan and probe systems to take advantage of known vulnerabilities.
  • Higher level of success.
  • There is a medium frequency of these attacks.

11
Intrusion Scenario 2
[Diagram: Activist Hacker, CMU domain, Proxy, Firewall, Web Server, Form Server, DB, Email Server, acis.as.cmu.edu, Mistral.cmu.edu; connection labels: RC40, SSL, Oracle Net 8]
12
Intrusion 3: Attacker Profile
  • Former employee of CMU
  • Attacker: Former/Disgruntled Employee
  • Resources: Has knowledge of process.
  • Time: Usually in a short period after being fired; can also be very patient.
  • Tools: Uses customized system program.
  • Access: Easily gets into the CMU domain. Connects to the system through a pre-set-up laptop.
  • Risk: Understands risk
  • Objective: To get some money / to screw up the system.

13
Intrusion 3: Level of Attack
  • Sophisticated Attack
  • The attacker is familiar with the internal system
  • May have already set up security loopholes in the system.
  • There is a very low frequency of these attacks

14
Intrusion Scenario 3: Compromise Database
[Diagram: Hacker, CMU domain, Proxy, Firewall, Web Server, Form Server, DB, Email Server, acis.as.cmu.edu, Mistral.cmu.edu; connection labels: RC40, SSL, Oracle Net 8]
15
Compromisable Components
  • Oracle Database
  • Web Server
  • Form Server
  • Firewall

16
Questions?